I will try to make the long story short:

2 W2K3 forests with transitive forest trust (abc.com and xyz.com)
xyz.com is "resource forest"
abc.com is "user accounts forest" (child.abc.com is a child domain)

I logged on to the forest xyz.com DC with an account from the child domain of
forest abc.com ([EMAIL PROTECTED]), which is a member of the local
Administrators group in the xyz.com domain.

I created a new GPO and edited the GP object's ACL:
- The domain local group "XYZ\NewGPOOwner" contains a domain global group
from the child domain of the other forest: CHILD\xyzGPOOwners
- The account I am logged on with is a member of CHILD\xyzGPOOwners, which
makes me also a member of ABC\NewGPOOwners
- Added the domain local group "XYZ\NewGPOOwners" with Full permissions
except "Apply Group Policy" (this makes it Read/Write and Create/Delete
child objects)
- Removed myself from the ACL
- Changed the owner of the object to the "XYZ\NewGPOOwners" domain local
group.

Now the funny part:
All permissions behave as expected: I can modify the GPO, change
permissions, change the owner, etc.
BUT if I go to the Effective Permissions tab and select my
[EMAIL PROTECTED] account, it shows me that I have read-only
permissions (just like Authenticated Users).

If I select the CHILD\xyzGPOOwners group from the account forest (a member of
the XYZ\NewGPOOwner group), the UI shows that the group has no permissions.

If I select the XYZ\NewGPOOwner group, I get the correct permissions.

A little bit confusing and quite inconsistent, I would say...

To me it looks like security principals are not processed correctly by the
UI, but the OS enforces the correct permissions.
From what I understand, this behavior is similar to partial SID
filtering: the SIDs of user groups from another forest are not
enumerated by the UI (despite the fact that the OS enumerates the group
membership correctly).

Any ideas?


Thanks,
Guy
-- 
Smith & Wesson - the original point and click interface
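A way to see what the OS actually evaluates, as an added example that is not part of the original post: the PowerShell script below reads the GPO's ACL from AD and keeps only the ACEs whose SID is present in the current logon token. The token is what the OS checks access against, and it already contains the resource-domain domain local group that holds the user's global group from the account forest. The Effective Permissions tab, by contrast, has to reconstruct group membership for whatever principal you pick rather than read it from a real token, which is consistent with the cross-forest nesting being dropped there. Assumptions: the RSAT GroupPolicy and ActiveDirectory modules are available, the script runs as the cross-forest account on a member of the resource forest, and the GPO name "NewGPO" is a placeholder.

```powershell
# Added example, not from the original post. Compares the current logon token's
# group SIDs with the ACEs on a GPO's AD object, so you can see which ACEs the OS
# will honour for this account regardless of what the Effective Permissions tab shows.
Import-Module GroupPolicy        # Get-GPO (RSAT); assumed available
Import-Module ActiveDirectory    # provides the AD: drive used by Get-Acl; assumed available

# Documented rightsGuid of the Apply-Group-Policy extended right. ACEs carrying this
# ObjectType are what the "Apply Group Policy" checkbox in the GPO ACL editor sets.
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c92f6a5b'

function Get-TokenSids {
    # The logon token already holds every group the OS expanded at logon time,
    # including resource-forest domain local groups that contain the user's
    # global group from the trusted (account) forest.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-GpoEffectiveRights {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName            # .Path is the DN under CN=Policies,CN=System
    $acl = Get-Acl -Path ("AD:\" + $gpo.Path)
    $tokenSids = Get-TokenSids

    $allowMask = 0
    $denyMask  = 0
    $matching  = New-Object System.Collections.Generic.List[object]

    foreach ($ace in $acl.Access) {
        # Get-Acl returns NTAccount names where the SID resolved; foreign SIDs that
        # did not resolve come back as raw SecurityIdentifier objects.
        $sid = $ace.IdentityReference
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            try { $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch {
                Write-Warning "Cannot resolve ACE identity '$($ace.IdentityReference)'; skipping"
                continue
            }
        }
        if ($tokenSids -notcontains $sid.Value) { continue }

        $matching.Add([pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType
            Rights   = $ace.ActiveDirectoryRights
            ApplyGP  = ($ace.ObjectType -eq $ApplyGroupPolicyGuid)
        })
        # Simplification: rights are OR-ed as a flat mask, so ExtendedRight ACEs with
        # different ObjectType GUIDs (e.g. Apply Group Policy) merge into one bit.
        if ($ace.AccessControlType -eq 'Allow') {
            $allowMask = $allowMask -bor [int]$ace.ActiveDirectoryRights
        } else {
            $denyMask  = $denyMask  -bor [int]$ace.ActiveDirectoryRights
        }
    }

    [pscustomobject]@{
        Gpo            = $GpoName
        TokenGroups    = $tokenSids.Count
        MatchingAces   = $matching
        EffectiveAllow = [System.DirectoryServices.ActiveDirectoryRights]($allowMask -band (-bnot $denyMask))
    }
}

# Usage ("NewGPO" is a placeholder name):
$result = Get-GpoEffectiveRights -GpoName 'NewGPO'
$result.MatchingAces | Format-Table -AutoSize
"Effective rights derived from the logon token: $($result.EffectiveAllow)"
```

If the XYZ\NewGPOOwners ACE shows up in MatchingAces while the Effective Permissions tab still reports read-only for the same account, the difference is in how the tab computes membership, not in what the OS enforces. Run it from a fresh logon after any group change, since the token is only built at logon.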

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
